World Library  
Flag as Inappropriate
Email this Article

Bypass Switch

Article Id: WHEBN0018054236
Reproduction Date:

Title: Bypass Switch  
Author: World Heritage Encyclopedia
Language: English
Subject: Net Optics
Publisher: World Heritage Encyclopedia

Bypass Switch

A bypass switch is a hardware device that provides a fail-safe access port for an in-line monitoring appliance such as an intrusion prevention system (IPS), firewall, WAN optimization device or unified threat management system. In-line monitoring appliances are single points of failure in computer networks because if the appliance loses power, experiences a software failure, or is removed, traffic can no longer flow through the link. The bypass switch removes this point of failure by automatically shunting traffic around the appliance whenever the appliance is incapable of passing traffic.

A bypass switch has four ports. Two network ports create an in-line connection in the network link that is to be monitored. This connection is fully passive; if the bypass switch itself loses power, traffic continues to flow unimpeded through the link. Two monitor ports are used to connect the in-line monitoring appliance. During normal operation, the bypass switch passes all network traffic through the appliance as if it were directly in-line itself. But when the in-line appliance loses power, is disconnected, or otherwise fails, the bypass switch passes traffic directly between its network ports, bypassing the appliance, and ensuring that traffic continues to flow on the network link.

In some products, when the bypass switch shunts traffic around the monitoring appliance, the monitor ports revert to acting like a network tap, mirroring the half-duplex traffic received at the network ports to the monitor ports. In this mode, an attached IPS appliance can be used as an intrusion detection system (IDS) to passively monitor the traffic without affecting it. This mode is useful for analyzing the effectiveness of a signature set before switching to IPS mode and potentially disrupting network traffic.

Multi-segment bypass switches provide a number of independent bypass switches in a single chassis, providing higher density in the equipment rack.


When the bypass switch passes traffic through the attached in-line appliance, it is said to be in bypass-off mode.

When the bypass switch passes traffic directly between the network ports, and bypassing the attached in-line appliance, it is said to be in bypass-on mode.


Using an external bypass switch to connect an in-line appliance such as an IPS has several benefits.[1]

It keeps network traffic flowing when the in-line appliance fails.

It allows the in-line appliance to be removed or serviced without impacting network traffic. For example, an IPS can be taken offline to upgrade signatures, software, or hardware.

The in-line appliance can be moved from one network segment to another without impacting network traffic.

Note that the latter two advantages are not provided by internal bypass-switch functionality that may be integrated within some IPS appliances.


Bypass switches add acquisition cost to the monitoring solution, although they may save cost in the long run by increasing network uptime.

Bypass switches move the single point of failure from the in-line monitoring appliance to the bypass switch itself. This should be a net gain in reliability, because the bypass switch is a simpler device than the monitoring appliance, and because it is designed for fault-tolerance. Nevertheless, reliability is an important criteria when evaluating bypass switch solutions.

Technical information

Bypass switches increase network reliability through several mechanisms including passive in-line connections, link detection, and Heartbeat packets.

The two network ports in a bypass switch create a fully passive in-line connection that maintains traffic flow even in the absence of power. For fiber links, a normally closed optical switch creates a path for light to flow unimpeded through the device when power is absent. For copper links, micro-relays connect the two ports when power is absent.

The bypass switch monitors the status of the links between its monitor ports and the in-line appliance. If a link goes down, the bypass switch immediately switches into bypass-on mode. When the link comes back up again, the bypass switch returns to bypass-off mode and the appliance resumes receiving traffic.

Some bypass switches send a heartbeat packet through the monitoring appliance in order to ensure that the appliance is passing traffic. If the heartbeat packet does not return to the bypass switch, the appliance is assumed to be down, and the switch goes into bypass-on mode, excluding the appliance from the traffic path. The bypass switch continues to transmit heartbeat packets to the appliance, and when they are again returned by the appliance, the bypass switch changes back to bypass-off mode and the appliance resumes receiving traffic....

Whenever the bypass switch transitions to bypass-on mode for any reason, the link may be temporarily dropped. A good bypass switch reconnects the link in under 1 second,[2] but the network may take several seconds to re-establish communications on link.

Device management

Bypass switches may be managed through any of several interfaces: a command-line interface (CLI), a Web browser-based interface, or a platform-based SNMP tool. Management functions may include configuring an IP address for SNMP traps, retrieving RMON statistics, and setting parameters for the heartbeat packet such as packet contents, timing, and retry counts.


See also

This article was sourced from Creative Commons Attribution-ShareAlike License; additional terms may apply. World Heritage Encyclopedia content is assembled from numerous content providers, Open Access Publishing, and in compliance with The Fair Access to Science and Technology Research Act (FASTR), Wikimedia Foundation, Inc., Public Library of Science, The Encyclopedia of Life, Open Book Publishers (OBP), PubMed, U.S. National Library of Medicine, National Center for Biotechnology Information, U.S. National Library of Medicine, National Institutes of Health (NIH), U.S. Department of Health & Human Services, and, which sources content from all federal, state, local, tribal, and territorial government publication portals (.gov, .mil, .edu). Funding for and content contributors is made possible from the U.S. Congress, E-Government Act of 2002.
Crowd sourced content that is contributed to World Heritage Encyclopedia is peer reviewed and edited by our editorial staff to ensure quality scholarly research articles.
By using this site, you agree to the Terms of Use and Privacy Policy. World Heritage Encyclopedia™ is a registered trademark of the World Public Library Association, a non-profit organization.

Copyright © World Library Foundation. All rights reserved. eBooks from Project Gutenberg are sponsored by the World Library Foundation,
a 501c(4) Member's Support Non-Profit Organization, and is NOT affiliated with any governmental agency or department.